Automic Workload Automation

Agent Version: version '12.0.3+build.791'

Windows 2016 server.

I am getting the following in the Agent log on Windows 2016:

20180618/132637.350 - U02001040 Error in function 'CreateProcessAsUser', error code '5', error description: 'Access is denied.'.
20180618/132637.366 - U02001000 Job 'MSSQL_T03_TEST' could not be started. Error code '5', error description: 'Access is denied.'.

I have granted the following to the user/group concerned:

1) Logon as batch job
2) Act as part of operation system
3) Create a token object
4) Replace a process level token

The same user/group works on Windows 2012 Server.

Firewall is disabled for tests

Anybody in the same situation?

Thanks,

Ray FOX

Is UAC enabled? Does turning it off make any difference?

Hi

did you grant ALL of the privileges to the user - mentioned here:

Automic 

cheers, Wolfgang

Thanks for your suggestions Wolfgang and Chandru.

I have found that McAfee Endpoint Security is the culprit. There are errors in the Windows Event Viewer as follows:

EventID=18060 NT AUTHORITY\SYSTEM ran UCXJWX6.EXE, which tried to access C:\AUTOMIC\AGENTS\WINDOWS\TEMP, violating the rule "Suspicious Double File Extension Execution", and was blocked. For information about how to respond to this event, see KB85494.

I disabled McAfee Endpoint Security and executed the job - it worked.

Ray

Great!

THX for the info!

cheers, Wolfgang

Hi,

The same situation we have experienced.We disabled McAfee Endpoint Security on server and solved.

Olgun.

Hi all,

We have seen this error for the first time today.

It is on a couple of new Windows2016 servers.

Likewise, we see this error in the log...

EventID=18060

NT AUTHORITY\SYSTEM ran UCXJWX6.EXE, which tried to access C:\AUTOMIC\AGENTS\WINDOWS\TEMP, violating the rule "Suspicious Double File Extension Execution", and was blocked. For information about how to respond to this event, see KB85494.

I don't really want to have to Disable McAfee Endpoint Security on all new Windows servers.

Any other option?

John.

Endpoint Security Natural Language String event messaging index 

Determine whether the behavior was expected:

• If expected, you must either:
  • Accept/ignore the data
  • Create an exclusion for the specified rule to exclude the process that is violating the rule
• If not expected, investigate the behavior further because either:
  • The behavior is occurring because of malware that has infiltrated the process
  • The behavior is normal and needs to be reclassified as expected behavior, in which case you would see the previous bullet for expected behavior

Hi John,

the problem McAffee has is the double extensions of the Job-Files in the temp directory (J******.TXT.BAT)
It should be possible to exclude only the double extension check for the servers with Automic Windows Agents.

Cheers, Philipp